Russian electronics giant hit by data leak.

With a yearly revenue of more than $33 million, Pult.ru has 15 physical shops across various cities in Russia, and more than one million monthly visitors to its online shop.

Recently, the Cybernews research team discovered a misconfiguration in the Pult.ru system that exposed sensitive credentials. By exploiting them, malicious actors could have gained access to the company’s business automation systems, extracted clients’ and employees’ private data, or entirely taken over the application instance.

Cybernews reached out to Pult.ru, the Russian Computer Emergency Response Team (CERT-RU), and the company’s hosting provider. While the access was secured, the company has not responded to journalists’ inquiries for comment.

Open gateway to business secrets

On February 17th, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to Pult.ru. The file was publicly accessible for almost two years.

This case serves as a stark reminder of the importance of securing access to environment files: such files can expose critical data and hand threat actors a wide array of attack options.
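The defensive check that follows is an added example, not code from the article or from Pult.ru: it walks a web server's document root, finds dotenv-style files that a misconfigured server could serve to the public, and lists the keys inside them that look like credentials, which is the rotation list an incident responder needs first. The file names, the key-name heuristics and the sample .env content are constructed assumptions, not the real leaked file.

```python
"""Audit a web document root for exposed environment files and list the
secrets that would need rotation if such a file were served to the public.

Added example; nothing here is the Cybernews article's or Pult.ru's own code.
"""
import os
import re
import tempfile

# Dotenv-style file names a misconfigured web server might serve (assumption).
ENV_FILE_PATTERN = re.compile(r"^\.env(\.[\w.-]+)?$")

# Key-name fragments that usually denote a credential (heuristic, assumption).
SECRET_KEY_HINTS = ("PASSWORD", "PASS", "SECRET", "TOKEN", "KEY", "DSN")

# A URL carrying user:password@ (for example an AMQP or database DSN).
USERINFO_IN_URL = re.compile(r"://[^/\s:@]+:[^/\s@]+@")

# Constructed sample; values are placeholders, not real secrets.
SAMPLE_ENV = """# constructed sample .env, not the real leaked file
APP_ENV=production
DB_HOST=db.internal
DB_PASSWORD=example-db-pass
RABBITMQ_URL=amqp://svc:example-pass@mq.internal:5672/
RETAILCRM_API_KEY="example-key"
TELEGRAM_CHANNEL_ID=-1000000000
GIT_REPO=git@git.example.com:team/shop.git
"""


def parse_env(text):
    """Parse KEY=VALUE lines in dotenv style, skipping comments and blanks."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        # Strip one layer of matching quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def classify_secrets(env):
    """Return the keys whose name or value suggests a credential or account id."""
    flagged = []
    for key, value in env.items():
        if not value:
            continue
        upper = key.upper()
        by_name = any(hint in upper for hint in SECRET_KEY_HINTS) or upper.endswith("_ID")
        by_value = USERINFO_IN_URL.search(value) is not None
        if by_name or by_value:
            flagged.append(key)
    return sorted(flagged)


def find_env_files(docroot):
    """Walk docroot and return paths of files whose name looks like an env file."""
    found = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if ENV_FILE_PATTERN.match(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def audit(docroot):
    """Map each env file under docroot to the secret-looking keys it contains."""
    report = {}
    for path in find_env_files(docroot):
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = classify_secrets(parse_env(fh.read()))
    return report


def demo():
    """Build a constructed docroot in a temp dir, plant the sample .env and audit it."""
    docroot = tempfile.mkdtemp(prefix="envaudit-")
    public = os.path.join(docroot, "public")
    os.makedirs(public)
    with open(os.path.join(public, ".env"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ENV)
    with open(os.path.join(public, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html></html>\n")
    report = audit(docroot)
    # Report paths relative to the docroot with forward slashes, so the
    # result does not depend on the temporary directory's name or the OS.
    return {os.path.relpath(p, docroot).replace(os.sep, "/"): keys
            for p, keys in report.items()}


if __name__ == "__main__":
    for path, keys in demo().items():
        print(f"{path}: rotate {', '.join(keys) or 'nothing'}")
```

Point `audit()` at the directory the web server actually serves; anything it reports is both a file to move out of the document root (or block at the server, as with a deny rule for dotfiles) and a list of credentials to rotate. The key-name heuristic is deliberately broad so that tokens and account ids, not only passwords, end up on the rotation list.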

Among many leaked credentials, the environment file exposed logins to the Sitebot database needed for Enterprise Resource Planning (ERP) software and credentials for 1C – a business automation system.

The company uses these systems to manage day-to-day business activities such as accounting, project management, compliance, and supply chain operations.

The exposure of these credentials is hazardous because ERP systems could become a goldmine not only for malicious actors, but competitors as well.

The exposed data might be used to access sensitive finance-related data, information about the company’s logistics and delivery management, intellectual property, or Customer Relationship Management (CRM) systems.

Moreover, business automation tools might contain a treasure trove of private data of company employees, exposing payroll data, the company’s private documents, and invoices.

Researchers also found the URL and key to RetailCRM. Exposing these details might be risky, as threat actors could gain access to order processing data and analytics, revealing private business-related and client information.

Furthermore, the discovered credentials for RabbitMQ, a message-queueing software, could help malicious actors access the AMQP broker and possibly retrieve messages.

Access to Telegram and Sbermegamarket

The environment file exposed merchant IDs and tokens that Pult.ru used for accessing the Russian e-commerce platform Sbermegamarket. The marketplace belongs to a state-owned Russian bank – Sberbank.

Although no passwords were exposed, malicious actors could have used the exposed IDs and tokens to hijack Pult.ru business accounts on the platform.

The file revealed two Telegram Channel IDs – ‘Errors’ and ‘SberOrders’ – both related to orders from Sbermegamarket.

A malicious actor could exploit this data to access the information stored within the Telegram channels, read conversations regarding orders, and see information about clients.

Access to the source code

The environment file also contained the Secure Shell (SSH) URL used to access the Git repository where the company’s code is stored.

While the repository cannot be accessed without an SSH key, the URL reveals where the source code is hosted, the account used to create the repository, and the repository name.

By exploiting the leaked Git details, malicious actors could potentially launch targeted attacks against the repository’s creator.

If web access to the developer account had not been disabled, attackers could have potentially phished the developer or gained unauthorized access to the repository through a web interface.

Dangers of the leak

The gravity of the leak lies in the fact that it could have allowed malicious actors to gain complete control over the company’s internal networks, thereby enabling them to move laterally within the system and escalate privileges.

Given the number of secrets and credentials found in the environment file, exposed data could enable threat actors to carry out numerous attacks on the company, including sophisticated social engineering attacks such as phishing and scam marketing campaigns as well as malware and ransomware attacks.

Cybernews recommends that Pult.ru take immediate action to reset all credentials, tokens, passwords, and IDs associated with its internal systems.

The company should also consider using strong, randomly generated passwords for enhanced security. Strong passwords can be created using password generators, like the one created by Cybernews.

Since account and repository names are usually permanent in Git, the best approach would be to request the removal of the indexed material from search engines.

Source: CyberNews


By admin
